Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp62117ybp; Thu, 3 Oct 2019 10:11:35 -0700 (PDT) X-Google-Smtp-Source: APXvYqzbiJaqBNomD2nAcCuX+9p3pJLqrzAYIvjQWv1flaVydsdL26ipKlfixAJrz//kSyy9QGH+ X-Received: by 2002:a17:906:6bca:: with SMTP id t10mr8777808ejs.64.1570122695667; Thu, 03 Oct 2019 10:11:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570122695; cv=none; d=google.com; s=arc-20160816; b=oChAV4e5tw5hVYPj30WiSOS8SawR4gL8c0Bu1m4oybK7Iw5VB1njgPXgn/+Nz3Q/+E D7A6MGyhlSh3f/fEJBdKGqBmaOVXzRrlIODoz1OFZ4m57G+N6Kd0QGZUQD+DD+IjSsWb gW9HOU2lwKwDiQDEn+hOryGEwMTFAtQvElkkR7j3alScdX7l+ewTtmZMeQ6n+w2gtEa0 X+AXEIoI07HV//ddzQkxYrlKo6MBnN1YbWtlO+A5+9W5Tu3cO1UOPvBZs3XMa+M9DJ3z s9MI7Q4uAVCIwpZyXaQT3rfnfgDHZS4NE6nnOiMATQR99gGJwpZV4EEyhtQ4a64hCok7 njYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=KqLfILVmJw0kd/1CY7tJpNqMrrzTZNJVSShm9UnT/8I=; b=qC8BSSKK0uSrGcxDVJ8h1lvB0UjK29d0dc6WPrtjl3PwDl3hIV3EByHR/o1zHU6vTu +mGQ/NHq8vFbGCFGhPtCRZ9MFDsoxVI8+iCnszIdwWDMX5WtyAQ9y3uHugWdJ4Py/uba LW51gGuA92oBVdE00a7bmoFTttQR9LMpKikG8c6CALIIhCn7LeMhZvtnNdbNyISpAMxe +9JiyxC3fQmyDA4OXZDRLqkiaVcycQp51Mv1fzYWGofNitm1/tuycfgeALuMQsaKGr83 pjIEPS+TnReYrh4rb7u4tIDdjWH1/b+yXMxbf3gthhgT+79+FITvM5A8ee3eeknXvBz/ vR9Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=JNFTW0Zb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q4si1642962ejb.136.2019.10.03.10.11.10; Thu, 03 Oct 2019 10:11:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=JNFTW0Zb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2393428AbfJCRJi (ORCPT + 99 others); Thu, 3 Oct 2019 13:09:38 -0400 Received: from mail.kernel.org ([198.145.29.99]:42316 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731952AbfJCQeE (ORCPT ); Thu, 3 Oct 2019 12:34:04 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 12F2C2133F; Thu, 3 Oct 2019 16:34:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1570120443; bh=WfxDNclaPwQMRAUKsE1cmWMDs3Yv+dnYyxNB+8LnBpk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JNFTW0ZbNzTVdaXx9IC30sUcfTqhrAy4QqOG4NNf3zL7DVUUY+QmcXjP0acKtfZUm HH8QPXYtwUmsXFA/ey7nZDYm4DKDbHg/Wh6yy/xbtfUq4zPVHW2tPxmXM8Zb/GX+oU ALfGzejVIhEGWRr4tnz47c2ov5A6X8wjFUtyDpgk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jack Morgenstein , Leon Romanovsky , Jason Gunthorpe Subject: [PATCH 5.2 224/313] RDMA: Fix double-free in srq creation error flow Date: Thu, 3 Oct 2019 17:53:22 +0200 Message-Id: <20191003154555.095265867@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20191003154533.590915454@linuxfoundation.org> References: <20191003154533.590915454@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jack Morgenstein commit 3eca7fc2d8d1275d9cf0c709f0937becbfcf6d96 upstream. The cited commit introduced a double-free of the srq buffer in the error flow of procedure __uverbs_create_xsrq(). The problem is that ib_destroy_srq_user() called in the error flow also frees the srq buffer. Thus, if uverbs_response() fails in __uverbs_create_srq(), the srq buffer will be freed twice. Cc: Fixes: 68e326dea1db ("RDMA: Handle SRQ allocations by IB/core") Link: https://lore.kernel.org/r/20190916071154.20383-5-leon@kernel.org Signed-off-by: Jack Morgenstein Signed-off-by: Leon Romanovsky Reviewed-by: Jason Gunthorpe Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/core/uverbs_cmd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -3477,7 +3477,8 @@ static int __uverbs_create_xsrq(struct u err_copy: ib_destroy_srq_user(srq, uverbs_get_cleared_udata(attrs)); - + /* It was released in ib_destroy_srq_user */ + srq = NULL; err_free: kfree(srq); err_put: